]>
Commit | Line | Data |
---|---|---|
ef7eaa4c DSH |
1 | =pod |
2 | ||
3 | =head1 NAME | |
4 | ||
09483c58 | 5 | dhparam - DH parameter manipulation and generation |
ef7eaa4c DSH |
6 | |
7 | =head1 SYNOPSIS | |
8 | ||
41918458 | 9 | B<openssl dhparam> |
169394d4 | 10 | [B<-help>] |
ef7eaa4c DSH |
11 | [B<-inform DER|PEM>] |
12 | [B<-outform DER|PEM>] | |
41918458 BM |
13 | [B<-in> I<filename>] |
14 | [B<-out> I<filename>] | |
15 | [B<-dsaparam>] | |
fc1d88f0 | 16 | [B<-check>] |
ef7eaa4c DSH |
17 | [B<-noout>] |
18 | [B<-text>] | |
19 | [B<-C>] | |
09483c58 DSH |
20 | [B<-2>] |
21 | [B<-5>] | |
41918458 | 22 | [B<-rand> I<file(s)>] |
bfa35550 | 23 | [B<-engine id>] |
41918458 | 24 | [I<numbits>] |
ef7eaa4c DSH |
25 | |
26 | =head1 DESCRIPTION | |
27 | ||
28 | This command is used to manipulate DH parameter files. | |
29 | ||
30 | =head1 OPTIONS | |
31 | ||
32 | =over 4 | |
33 | ||
169394d4 MR |
34 | =item B<-help> |
35 | ||
36 | Print out a usage message. | |
37 | ||
ef7eaa4c DSH |
38 | =item B<-inform DER|PEM> |
39 | ||
40 | This specifies the input format. The B<DER> option uses an ASN1 DER encoded | |
41 | form compatible with the PKCS#3 DHparameter structure. The PEM form is the | |
42 | default format: it consists of the B<DER> format base64 encoded with | |
43 | additional header and footer lines. | |
44 | ||
45 | =item B<-outform DER|PEM> | |
46 | ||
1bc74519 | 47 | This specifies the output format, the options have the same meaning as the |
ef7eaa4c DSH |
48 | B<-inform> option. |
49 | ||
41918458 | 50 | =item B<-in> I<filename> |
ef7eaa4c DSH |
51 | |
52 | This specifies the input filename to read parameters from or standard input if | |
53 | this option is not specified. | |
54 | ||
41918458 | 55 | =item B<-out> I<filename> |
ef7eaa4c DSH |
56 | |
57 | This specifies the output filename parameters to. Standard output is used | |
58 | if this option is not present. The output filename should B<not> be the same | |
59 | as the input filename. | |
60 | ||
41918458 BM |
61 | =item B<-dsaparam> |
62 | ||
63 | If this option is used, DSA rather than DH parameters are read or created; | |
64 | they are converted to DH format. Otherwise, "strong" primes (such | |
65 | that (p-1)/2 is also prime) will be used for DH parameter generation. | |
66 | ||
67 | DH parameter generation with the B<-dsaparam> option is much faster, | |
68 | and the recommended exponent length is shorter, which makes DH key | |
69 | exchange more efficient. Beware that with such DSA-style DH | |
70 | parameters, a fresh DH key should be created for each use to | |
71 | avoid small-subgroup attacks that may be possible otherwise. | |
72 | ||
fc1d88f0 RS |
73 | =item B<-check> |
74 | ||
eeb21772 MC |
75 | Performs numerous checks to see if the supplied parameters are valid and |
76 | displays a warning if not. | |
fc1d88f0 | 77 | |
09483c58 DSH |
78 | =item B<-2>, B<-5> |
79 | ||
b5a379aa EK |
80 | The generator to use, either 2 or 5. If present then the |
81 | input file is ignored and parameters are generated instead. If not | |
82 | present but B<numbits> is present, parameters are generated with the | |
83 | default generator 2. | |
09483c58 | 84 | |
41918458 | 85 | =item B<-rand> I<file(s)> |
09483c58 DSH |
86 | |
87 | a file or files containing random data used to seed the random number | |
9b86974e | 88 | generator, or an EGD socket (see L<RAND_egd(3)>). |
35ed393e | 89 | Multiple files can be specified separated by an OS-dependent character. |
b87ef946 | 90 | The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for |
a4cfd178 | 91 | all others. |
09483c58 | 92 | |
41918458 | 93 | =item I<numbits> |
09483c58 DSH |
94 | |
95 | this option specifies that a parameter set should be generated of size | |
b5a379aa EK |
96 | I<numbits>. It must be the last option. If this option is present then |
97 | the input file is ignored and parameters are generated instead. If | |
98 | this option is not present but a generator (B<-2> or B<-5>) is | |
99 | present, parameters are generated with a default length of 2048 bits. | |
09483c58 | 100 | |
ef7eaa4c DSH |
101 | =item B<-noout> |
102 | ||
103 | this option inhibits the output of the encoded version of the parameters. | |
104 | ||
105 | =item B<-text> | |
106 | ||
107 | this option prints out the DH parameters in human readable form. | |
108 | ||
109 | =item B<-C> | |
110 | ||
111 | this option converts the parameters into C code. The parameters can then | |
bbd86bf5 | 112 | be loaded by calling the get_dhNNNN() function. |
ef7eaa4c | 113 | |
bfa35550 RL |
114 | =item B<-engine id> |
115 | ||
e5fa864f | 116 | specifying an engine (by its unique B<id> string) will cause B<dhparam> |
bfa35550 RL |
117 | to attempt to obtain a functional reference to the specified engine, |
118 | thus initialising it if needed. The engine will then be set as the default | |
119 | for all available algorithms. | |
120 | ||
ef7eaa4c DSH |
121 | =back |
122 | ||
09483c58 DSH |
123 | =head1 WARNINGS |
124 | ||
125 | The program B<dhparam> combines the functionality of the programs B<dh> and | |
b0700d2c | 126 | B<gendh> in previous versions of OpenSSL. The B<dh> and B<gendh> |
1bc74519 | 127 | programs are retained for now but may have different purposes in future |
09483c58 DSH |
128 | versions of OpenSSL. |
129 | ||
ef7eaa4c DSH |
130 | =head1 NOTES |
131 | ||
132 | PEM format DH parameters use the header and footer lines: | |
133 | ||
134 | -----BEGIN DH PARAMETERS----- | |
135 | -----END DH PARAMETERS----- | |
136 | ||
137 | OpenSSL currently only supports the older PKCS#3 DH, not the newer X9.42 | |
138 | DH. | |
139 | ||
140 | This program manipulates DH parameters not keys. | |
141 | ||
142 | =head1 BUGS | |
143 | ||
ef7eaa4c DSH |
144 | There should be a way to generate and manipulate DH keys. |
145 | ||
146 | =head1 SEE ALSO | |
147 | ||
9b86974e | 148 | L<dsaparam(1)> |
ef7eaa4c | 149 | |
e2f92610 RS |
150 | =head1 COPYRIGHT |
151 | ||
152 | Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved. | |
153 | ||
154 | Licensed under the OpenSSL license (the "License"). You may not use | |
155 | this file except in compliance with the License. You can obtain a copy | |
156 | in the file LICENSE in the source distribution or at | |
157 | L<https://www.openssl.org/source/license.html>. | |
158 | ||
159 | =cut |